From c4953409aa91ddbaf9c53f8ed14acbdf1bb94f6d Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 4 Aug 2020 14:31:20 +0200
Subject: [PATCH] rule: TAIDOOR malware load https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
---
.../process_creation/win_apt_taidoor.yml | 26 +++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 rules/windows/process_creation/win_apt_taidoor.yml
diff --git a/rules/windows/process_creation/win_apt_taidoor.yml b/rules/windows/process_creation/win_apt_taidoor.yml
new file mode 100644
index 00000000..2bff776f
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_taidoor.yml
@@ -0,0 +1,26 @@
+title: TAIDOOR RAT DLL Load
+id: d1aa3382-abab-446f-96ea-4de52908210b
+status: experimental
+description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
+references:
+ - https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
+author: Florian Roth
+date: 2020/07/30
+tags:
+ - attack.execution
+ - attack.t1055.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains:
+ - 'dll,MyStart'
+ - 'dll MyStart'
+ selection2:
+ CommandLine|endswith:
+ - ' MyStart'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: critical
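Review bot: The `tags` block files this rule under `attack.t1055.001` (Process Injection: DLL injection), but both `selection1` patterns match a rundll32-style `<name>.dll,MyStart` / `<name>.dll MyStart` command line, which ATT&CK classifies as System Binary Proxy Execution: Rundll32 (T1218.011); I would replace the second tag with `- attack.defense_evasion` and `- attack.t1218.011` (keeping `attack.execution`). Separately, `selection2` fires on any process whose command line merely ends with ` MyStart`, with no constraint on the image, so at `level: critical` with `falsepositives: Unknown` a benign script or batch argument named MyStart raises a critical alert; consider scoping it with `Image|endswith: '\rundll32.exe'` (if the referenced CISA report ties the loader to rundll32, which I cannot confirm from the hunk) or at least documenting that risk under `falsepositives` instead of `Unknown`. The `date: 2020/07/30` value is a plain string under Sigma's convention and is fine as written.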